Re: Bot Education

MelvinTheGrate wrote: For me, using Firefox, the CAPTCHA page flashes up for a few milliseconds, then goes blank, and the browser just sits there showing "Read www.google.com" in the status bar. ...

Almost the same for me in FF3 and FF8. After I click "GET STARTED", the CAPTCHA flashes by, and then https://amibotted.comcast.net/authorized.html just sits there, blank, with the status bar reading "Connecting to ssl.google-analytics.com". IE7 seems to work OK, except for the security certificate warning.

Re: Bot Education

ComcastJordan wrote:

Folks,

Thank you to everyone for their helpful input. We've taken everyone's ideas into consideration and are pleased to share a new site with all of you. The "Am I Botted" (https://amibotted.comcast.net) provides a great deal of the information requested by users to help identify and understand the bot issue specific to their home network. This site is considered an open-beta, so feel free to provide feedback for improvement.

Thanks.

Some feedback as requested, interesting website, I am amazed CC can even call this a beta, some more not ready for prime time software. If you are running IE9, and haven't changed security settings for mixed content you will get a security warning "only secure content displayed", so the "Get started" button doesn't work.

At that point, hit Fn and F12 (or whatever on your keyboard for F12) for the debugger and click console and refresh and you can see the security issues.

Now to see the other issues with this site, click validate on the top button bar, select multiple validations, check all of them, yes to run multiple validations. You will get a boatload of errors.

Not worth posting them all, needless to say, the software isn’t ready for my use. I will wait until they can provide secure and bug free software, but I won’t hold my breath. Makes me wonder who writes their software when a lowly user can find all these bugs in a few minutes.

Re: Bot Education

Thanks for the information ComcastJordan. The site says I am "in the clear," so I can't see if the information provided is useful for now. However, one of my LAN users will track something in soon enough, and I'll see how it works.

I hope your Customer Service folks are promptly trained to point customers to this site when you make it productional. I've spoken with them enough to say that they really need the help, and now that I've found this forum, I'll avoid talking to them every chance I get.

Also, I agree with the feedback you've received about your notifications. The popups and anonymous emails are off-putting.

Re: Bot Education

davegreen wrote:

Some feedback as requested, interesting website, I am amazed CC can even call this a beta, some more not ready for prime time software. If you are running IE9, and haven't changed security settings for mixed content you will get a security warning "only secure content displayed", so the "Get started" button doesn't work.

Not worth posting them all, needless to say, the software isn’t ready for my use. I will wait until they can provide secure and bug free software, but I won’t hold my breath. Makes me wonder who writes their software when a lowly user can find all these bugs in a few minutes.

Hi davegreen,

I informed 2 Comcast employees of this exact situation earlier this week and received no response from one and was told to use compatibility mode by the other, insisting it was totally tested on different browsers.

I agree it is not ready for primetime, as has been the case for some of Comcast's previous attempts.

I anxiously await their answers.

A veteran - whether active duty, retired, national guard, or reserve - is someone who, at one point in his or her life, wrote a blank check made payable to The 'United States of America', for an amount of 'up to and including my life.'

Re: Bot Education

Folks,

Of course it's not ready for prime time. Perhaps I should have used the term "sneak peek"? We're looking for value of the data and suggestions on how we can make the site more useful. If a few certificate issues are easy enough to work out. I'd much rather hear whether the information provided is of use and whether the page helps folks get to the root of problems easier.

Re: Bot Education

jlivingood wrote:

The "Am I Botted?" page @ https://amibotted.comcast.net is now in beta. That means some things may not work right and we're seeking feedback on it. ;-) (cert issues noted)

Other than the cert issues, if I go to the FAQ re the Demo under Options, I select Export Image, then copy the URL, then select Go to Forums from the Options drop down and get taken to the forums, but when I select the tree icon to load an image and paste the URL from the demo I get the proverbial red X in the little square. Is that supposed to work in the Demo or am I doing something wrong?

I guess I should add this is in IE9.

Re: Bot Education

USAF_E-8_RET wrote:

Other than the cert issues, if I go to the FAQ re the Demo under Options, I select Export Image, then copy the URL, then select Go to Forums from the Options drop down and get taken to the forums, but when I select the tree icon to load an image and paste the URL from the demo I get the proverbial red X in the little square. Is that supposed to work in the Demo or am I doing something wrong?

I guess I should add this is in IE9.

Thanks, USAF_E-8_RET. That image doesn't actually exist on the server. We will consider adding a sample so you can at least see what it would look like.

Re: Bot Education

While I see some information being presented in my case, I do not find it particularly helpful. Below is what the current amibotted page shows for me. Unfortunately it does not get me any closer to pinpointing which connected device it came from. Between phones, iPads, game consoles and computers I can have as many as 10 connected at any given time. And as pointed out some time back, if the bot goes dormant for a period of time it might be hard to locate. I get a Security Alert Email about every 6 to 8 days but this leaves me with a few questions that I have not seen presented as yet. For example, how often does bot detection run? Or is it on all the time? Is it possible for Comcast to provide us with the destination IP address that triggered the bot alert? That might be a good way to backtrack to a specific PC. Also, what standards are being used to evaluate activity and designate it as bot activity? Are there any stats on false positives?

I appreciate the efforts that Comcast has made to make the program more meaningful. Please keep it going. I would love nothing better than to find a bot on any of my equipment and destroy it.

Re: Bot Education

rboski wrote:

While I see some information being presented in my case, I do not find it particularly helpful. Below is what the current amibotted page shows for me. Unfortunately it does not get me any closer to pinpointing which connected device it came from. Between phones, iPads, game consoles and computers I can have as many as 10 connected at any given time. And as pointed out some time back, if the bot goes dormant for a period of time it might be hard to locate. I get a Security Alert Email about every 6 to 8 days but this leaves me with a few questions that I have not seen presented as yet. For example, how often does bot detection run? Or is it on all the time? Is it possible for Comcast to provide us with the destination IP address that triggered the bot alert? That might be a good way to backtrack to a specific PC. Also, what standards are being used to evaluate activity and designate it as bot activity? Are there any stats on false positives?

I appreciate the efforts that Comcast has made to make the program more meaningful. Please keep it going. I would love nothing better than to find a bot on any of my equipment and destroy it.

Re: Bot Education

cc_adame wrote: BruceW, are you looking for the ip that the traffic was going to?

The IP the user connected to, yes. That information could help users determine whether they are actually infected, or whether the detection resulted from visiting a host that happened to be part of a botnet. It might reduce the number of "false positive" complaints.

Re: Bot Education

My thanks to all the Comcast people for trying to lend me a hand. I realize that based on all the time you spend in the forums that you truly want to help. Also thanks to all the other posters that contribute as well.

This has been going on for so long I thought it might be a help to lay out some of the steps I have taken.

I use both AVG and MSRT and Malwarebytes to detect unwanted files on all my computers. I have also installed Wireshark to monitor packets and so far have never been able to catch the bot when it is active.

In addition I check the router's outgoing and incoming logs, and every time I get an alert there is no activity at the exact specified time. I am running a fairly good size network when you add up all the kids' phones and games, not to mention the desktop PCs, but I can account for every MAC address that appears and there is no way anyone outside is accessing the network.

So you can see why I have had so much difficulty in tracking this down. I do not think my network is anything so complicated nor do I think it is much different than anyone else that has kids.

One of you mentioned that you do not have any software on my network that would allow you to pinpoint which connected item is infected... Is there such software that I could install, then remove when the offending device is captured by you? I believe I would be OK with that as long as I had the ability to remove it once the issue is resolved.

The long and short of this is: this is not a very simple thing to do and I wonder if the average person has the skills and/or the time to devote to this program. I am 100% in favor of the alerts and go in search anew every time one arrives but I always find nothing. I am still hoping to find something, but I am not as enthusiastic as I once was.

Re: Bot Education

Although I never ended up catching the supposed bot, I tried the following. In my case I think it may have actually been a DNS prefetch from Firefox on an infected page -- Firefox automatically fetches DNS records for links that appear on a page to make things faster (unless you turn it off), so if Comcast is looking at DNS queries as part/all of the source for the "you've got a bot" messages, then just visiting such a page might cause false positives despite no bot and no bot communications (Comcast likely can't tell us exactly what they look at, though, for the obvious reason that it would let the bot creators know how to avoid it).

Both methods require some things that "average" users probably don't have/can't easily do, but are not particularly exotic or complicated.

Method 1:

Set your router to point to a local caching DNS server that you run, and on that server, install dnsmasq (Linux) or similar software that caches DNS lookups and configure it to log every one of them (and configure it to use your normal Comcast DNS as the server it speaks to). If there's a particular host identified by name, this would probably catch it (at least once your devices all refresh their DHCP leases and get the new local DNS server IP), and tie it to a particular IP address in your house, which you can then resolve to a particular device. Obviously what you do then depends on whether it's an iPhone or a PC, but at least it would give you a single target to look at.

Method 2:

If you're running DD-WRT, TomatoUSB, or similar open router software, you can run tcpdump directly on that and log DNS or even all packets to a capture file, which you can analyze with Wireshark or other tools later. Likely much more effective than trying to run it locally on all PCs (plus if it's a really clever bot, it might be clever enough to not let Wireshark see its traffic... perhaps). If you don't have attached storage, you could pipe it through SSH like this (or probably a half dozen other ways):

tcpdump -i eth0 -w - |ssh user@somelocalhost "cat >dump.pcap"

To some other Linux box that's got plenty of space (assuming you have both ssh and tcpdump on your router). Even if you have a huge network, logging all of the WLAN packets probably would be manageable, and you could always filter it if you know more about the specific problem based on the Comcast tool.
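One way to do the log analysis that Method 1 sets up, as an added example that is not part of the original post: it reads a dnsmasq query log, keeps lookups of a suspect name, and ties each client IP to a MAC and hostname from the lease file. The suspect name, addresses and the sample log and lease lines are constructed, and it assumes dnsmasq runs with log-queries enabled and also hands out the DHCP leases.

```python
import re
from collections import defaultdict

# Constructed sample: dnsmasq log written with "log-queries" enabled.
SAMPLE_LOG = """\
Mar  3 21:14:07 dnsmasq[812]: query[A] www.example.org from 192.168.1.23
Mar  3 21:14:07 dnsmasq[812]: forwarded www.example.org to 203.0.113.53
Mar  3 21:15:42 dnsmasq[812]: query[A] update.botnet.example from 192.168.1.31
Mar  3 21:15:42 dnsmasq[812]: query[AAAA] update.botnet.example from 192.168.1.31
Mar  3 22:40:10 dnsmasq[812]: query[A] notbotnet.example from 192.168.1.23
Mar  4 03:15:44 dnsmasq[812]: query[A] BOTNET.example. from 192.168.1.31
Mar  4 09:02:18 dnsmasq[812]: query[A] botnet.example from 192.168.1.40
"""
# Constructed dnsmasq.leases content: expiry, MAC, IP, hostname, client-id.
SAMPLE_LEASES = """\
1330900000 00:11:22:33:44:55 192.168.1.23 den-desktop 01:00:11:22:33:44:55
1330900500 66:77:88:99:aa:bb 192.168.1.31 kids-laptop *
"""
QUERY_RE = re.compile(
    r"^(\w{3}\s+\d+\s+[\d:]{8})\s.*?\bquery\[(\w+)\]\s+(\S+)\s+from\s+(\S+)")


def parse_leases(text):
    """Map each leased IP to (MAC, hostname)."""
    leases = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            leases[fields[2]] = (fields[1], fields[3])
    return leases


def suspect_lookups(log_text, leases_text, suspects):
    """Group lookups of suspect names (or their subdomains) by client IP."""
    suspects = {s.lower().rstrip(".") for s in suspects}
    leases = parse_leases(leases_text)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # forwarded/reply/cached lines carry no client IP
        when, qtype, name, client = m.groups()
        name = name.lower().rstrip(".")
        # Match on label boundaries so "notbotnet.example" is not a hit.
        if any(name == s or name.endswith("." + s) for s in suspects):
            hits[client].append((when, qtype, name))
    report = {}
    for client, rows in hits.items():
        mac, host = leases.get(client, ("unknown", "unknown"))
        report[client] = {"mac": mac, "host": host, "count": len(rows),
                          "first": rows[0][0], "last": rows[-1][0]}
    return report
```

A client that shows up with no matching lease (here 192.168.1.40) has a static address or a lease from another DHCP server, so its MAC has to come from the router's ARP table instead.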

Re: Bot Education

For some people a warning will go over their heads and they will click the link out of curiosity.

I have an old computer that I don't mind if something happens to it. I used that computer to click the link and was immediately taken to a page that looked like My Computer and a scan started, stating my system is infected.

I also closed out the page as soon as the scan started.

There is no LOL about posting a malicious link. It's totally irresponsible on your part to post a known bad link. One may think YOU are intentionally wanting to spread the malware.

FYI, if you had read the Posting Guidelines (which everyone should read before making his/her first post) you would have seen this:

Please Don’t:

5. Malicious Content

Posting content designed to disrupt or interfere with the operation of another member’s computer is not permitted. This may include, but is not limited to, linking to viruses and linking to pages that hijack browsers. Posting this brand of content will likely lead to the loss of posting privileges.

Thank you USAF for removing the post. You got to it mere seconds before I did.

edited to correct a spelling typo

Comcast employees must be authorized to post in the forum in an official capacity. Employees posting here have their names in red and are designated as employees. Names not in red are customers.

This is done to protect customers and for assurance that they are dealing with a Comcast employee. Non-Authorized Employees are allowed to post but cannot state they are employees nor can they allude to being employees.

Re: Bot Education

First off regarding the DNS changer bot. Could your company be more useless?

After 40 minutes on the phone, I am told to go to the website. This info could have been put in your annoying email.

Second. Open "Terminal" (type "Terminal" in Spotlight). How about using language the rest of us understand? What is a spotlight? Is Comcast familiar with the term "illustration"?

Your customers are begging for more information and you dolts give us nothing. And the customers should not have to be explaining this to a giant corporate parasite.

Hi iamanalliecat,

I'm not a Comcast employee, and I share your frustration with their so-called Customer Service. Count your blessings that you were directed here relatively quickly.

There are some helpful people here, both technically knowledgeable customers, and Comcast employees who are as helpful as their corporate overlords will allow, which is reasonably helpful.

You're the first person I've seen come in swinging, so I don't know how much response you'll get calling these folks names.

I will share with you a link to their Am I Botted page, which is a beta page to give you something to go on, although some of us are lobbying for additional info. Bot Net Checker is a non-Comcast site I've seen recommended. Also, some of the specific bot FAQs have IP address ranges of known botnets, so you can look for those if you are logging your outbound traffic from your router.

Other people have provided advice for finding and eliminating malware, so it is useful to read some of the posts.

Re: Bot Education

THANKS FOR THE INFORMATION ON THEIR MONEY BACK GUARANTEE, ESPECIALLY SINCE THEY REPORT I HAVE A BOT, CAN'T TELL ME WHY, AND SAID I WOULD GET MY MONEY BACK IF A BOT WAS NOT FOUND. THEY ALSO TOLD ME THERE WAS NO DO IT YOURSELF FIX, WHEN THE LETTER SAYS THERE IS.

I ONLY HAVE A WEEK TO CLEAN MY COMPUTER OR LOSE CONNECTION EVEN THOUGH NONE OF MY COMPUTERS ARE REPORTING THE BOT THROUGH THE "TEST" THEY HAVE YOU DO AT DNS-OK.US